Subject: Remote File Attachment Theft via comm.lycos.com,angelfire.com, eudoramail.com
From: Philip Stoev (philip@STOEV.ORG)
Date: Tue Nov 28 2000 - 14:18:58 CST
Date Published: November 28, 2000
Title: Remote File Attachment Theft via comm.lycos.com, angelfire.com, eudoramail.com
Class: Access Validation Error
Remotely Exploitable: Yes
WebMail (possibly WhoWhere.com software) as installed on
comm.lycos.com, angelfire.com, eudoramail.com and others allows an
attacker to hijack other people's attachments by modifying the hidden
form fields on the compose message form. If a file is attached to a
message, the compose message form has a hidden form field that looks
something like this:
filename.txt = /tmp/cache/24377.550
By setting it to a similar value, one can send email containing
someone else's attachments. For example:
filename.txt = /tmp/cache/24377.549
It was also possible to do ../..-style directory traversal.
The nature of the problem lies in the following:
1. User is allowed to reference attachments belonging to other users,
that is, there were no file-ownership checks.
2. User input was not validated for ".." character sequences.
3. Naming of temporary files followed an easy-to-predict numbering
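As an added illustration (not code from the advisory or from the WebMail vendor), the following Python sketch shows how a compose handler can store attachment references so that all three weaknesses above are closed: the form carries an unguessable opaque handle instead of a path, the handle is only resolvable by the session that uploaded it, and the resolved file is checked to lie under the cache root even if the ownership table were corrupted. The class and function names are assumptions for this example.

```python
import os
import secrets
import tempfile


class AttachmentStore:
    """Maps (user, opaque handle) -> cached attachment file on disk."""

    def __init__(self, root):
        self.root = os.path.realpath(root)
        self._owned = {}  # (user, handle) -> (original filename, absolute path)

    def save(self, user, filename, data):
        # Random handle instead of a sequential name such as 24377.550:
        # the form field is no longer a guessable or user-controlled path.
        handle = secrets.token_urlsafe(16)
        path = os.path.join(self.root, user, handle)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        # The user-supplied filename is kept only as metadata, never used in the path.
        self._owned[(user, handle)] = (filename, path)
        return handle

    def resolve(self, user, handle):
        """Return the cached file path for this user's handle, or None if rejected."""
        entry = self._owned.get((user, handle))
        if entry is None:
            return None  # unknown handle or owned by another user: file-ownership check
        _, path = entry
        # Defence in depth against "../" style references: the real path must stay
        # inside the cache root even if the ownership table were tampered with.
        real = os.path.realpath(path)
        if os.path.commonpath([real, self.root]) != self.root:
            return None
        return real


def make_store():
    """Create a store backed by a fresh temporary cache directory (constructed for the example)."""
    return AttachmentStore(tempfile.mkdtemp(prefix="webmail-cache-"))
```

A compose handler would reject the message (or drop the attachment) whenever `resolve` returns None, rather than falling back to the raw form value.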
Technical Description - Exploit/Concept Code:
This problem is trivial to exploit by hand by saving the compose
message HTML form locally and modifying it. However, it is imperative
to note that enforcing strict user-agent, cookie and referer checks
does not prevent such vulnerabilities from being exploited. There are
publicly available tools (such as The ELZA at www.stoev.org) that
allow for the exploitation of such vulnerabilities while preserving
stealth behavior with respect to cookies, referers and user-agent
strings to the extent required to keep the web site software happy.
The vendor has fixed this particular problem; however, all web mail
vendors are hereby urged to evaluate their systems for similar
Vendor notified on: November 8, 2000
Credits: This vulnerability was discovered and reported by Philip Stoev.
This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail vulnhelp@securityfocus.com.